How I found Reflective XSS in Yahoo Subdomain

When 2017 started, I had a bounty goal of finding a bug in Yahoo, but I never actually got time to look into their program. One day I planned to go for it. So here is the writeup on how I found Reflective XSS on a Yahoo subdomain. This is my first writeup, so please ignore any mistakes that you find.

I reported the bug to Yahoo and the bug was marked Resolved the very next day. I rechecked the vulnerable URL and was not able to reproduce the issue.

After 2 days, I was getting bored and thought about retesting around the same XSS bug. This time I found that <script> and <img> tags were being filtered.

So I started trying different combinations of payloads to see if I could break the URL. To get the <script> tag working, I broke it into pieces like below, added that to the old vulnerable URL, and Hurray!!!

Payload: <scr<script>ipt>alert(1)</scr</script>ipt>
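To show why that payload gets through, here is an added example (my own code, not anything from the post or from Yahoo's filter, whose real implementation is unknown). It assumes the filter was a single-pass blocklist that removes <script> and <img> tags; one pass over the nested payload reassembles a clean tag, a remove-until-stable loop does not, and contextual output encoding avoids the problem entirely.

```python
import html
import re

# Payload quoted in the post: the nested wrappers survive one pass of tag removal.
PAYLOAD = "<scr<script>ipt>alert(1)</scr</script>ipt>"

# Assumed blocklist: strip opening and closing <script> and <img> tags.
_BLOCKED = re.compile(r"</?(?:script|img)\b[^>]*>", re.IGNORECASE)


def strip_once(value: str) -> str:
    """Single-pass blocklist removal, the kind of filter the post describes.

    Removing the inner <script> and </script> leaves the outer fragments to
    join back into a working tag.
    """
    return _BLOCKED.sub("", value)


def strip_until_stable(value: str, max_rounds: int = 10) -> str:
    """Repeat removal until the input stops changing.

    Nested wrappers then get stripped on the next round instead of surviving.
    Inputs that keep changing past max_rounds are rejected rather than trusted.
    """
    for _ in range(max_rounds):
        stripped = _BLOCKED.sub("", value)
        if stripped == value:
            return value
        value = stripped
    raise ValueError("input did not stabilise; reject it")


def reflect_safely(value: str) -> str:
    """Preferred fix for reflected parameters: encode for the HTML context.

    Every '<', '>', '&' and quote becomes an entity, so no blocklist is needed
    and no tag, nested or otherwise, can be formed from the echoed value.
    """
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print("one pass   :", strip_once(PAYLOAD))
    print("until stable:", strip_until_stable(PAYLOAD))
    print("encoded    :", reflect_safely(PAYLOAD))
```

Running it prints the reassembled `<script>alert(1)</script>` for the single pass, bare `alert(1)` text for the stabilising loop, and an entity-encoded string for the encoding path. Of the three, only output encoding is a real fix; iterated stripping still depends on the blocklist knowing every dangerous tag.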

Tips:

Always retest your bugs after they are marked Resolved. There is a good chance that you will find a bypass.

I have seen some folks using tools/scripts to get sublist3r output in hyperlink format. You can simply copy the sublist3r output, paste it in Gmail and mail it to yourself to get the output URLs as hyperlinks.

Thanks for taking the time to read my blog. For any questions, you can get in touch with me at Syntaxerror.